Double phase encoding quantum key distribution

ABSTRACT

A laser pulse representing a bit of a quantum key is split into two pulses. In addition to known round trip phase encoding schema, a secret phase key is modulated into one of the two pulses: P 1  and P 2 . The secret phase key is used to identify whether the returning pulses originated from the sender, i.e., whether the key distribution has been attacked by an eavesdropper. A secret key phase modulator randomly modulates pulse P 1 . An attenuator then reduces the average photon number of the modulated pulse P 1  to a selected level greater than one to increase the likelihood of efficient, successful transmission while reducing the possibility of eavesdropping, e.g., μ=10. Both pulses P 1  and P 2  are sent to the intended recipient and reflected to the sender. Pulse P 2  is modulated upon return to the sender using the same secret phase key previously modulated into pulse P 1 . Therefore, when both pulses meet together at a coupler/beamsplitter of the sender, both pulses should contain the same secret key in their phase and therefore exhibit no resulting phase difference if the photon pulse is the same pulse originated by the sender. If the returning pulse is not the pulse originated by the sender then phase differences indicative of a so-called intercept-resend attack applied by an eavesdropper EVE are indicated by a large quantum bit error rate (“QBER”) will be detectable. If EVE applies photon-split attack, the secret phase key modulated by the sender prevents Eve from knowing the encoded key information in the photon(s). Therefore, double phase encoding QKD enables use of multi-photon pulses without unacceptable loss of security, thereby enhancing QKD bit rate.

FIELD OF THE INVENTION

This invention relates generally to the field of network communications,and more particularly to cryptology.

BACKGROUND OF THE INVENTION

Public key encryption is currently a popular technique for securenetwork communications. Public key encryption utilizes “one-wayfunctions” that are relatively simple for computers to calculate, butdifficult to reverse calculate. In particular, a one way function f(x)is relatively easy for a computer to calculate given the variable x, butcalculating x given f(x) is difficult for the computer, although notnecessarily impossible. Some one way functions can be much more easilyreverse calculated with the assistance of particular “trap door”information, i.e., a key. Public key cryptography utilizes such one-wayfunctions in a two-key system in which one key is used for encryptionand the other key is used for decryption. In particular, the one-wayfunction is a “public key” which is openly advertised by Node A for thepurposes of sending encrypted messages to Node A. The trap door key is a“private key” which is held in confidence by Node A for decrypting themessages sent to Node A. For two-way encrypted communications each nodeutilizes a different public key and a different private key. Oneadvantage of this system is that secure key distribution is notrequired. However, advances in the capabilities of computers tend toerode the level of security provided by public key encryption becausethe difficulty of reverse calculating the one-way function decreases ascomputing capabilities increase.

It is generally accepted in the field of cryptology that the most secureencryption technique is the Vernam cipher, i.e., one-time pad. A Vernamcipher employs a key to encrypt a message that the intended recipientdecrypts with an identical key. The encrypted message is secure providedthat the key is random, at least equal to the message in length, usedfor only a single message, and known only to the sender and intendedreceiver. However, in modern communication networks the distribution ofVernam cipher keys is often impractical, e.g., because the keys can bequite long and key distribution itself is subject to eavesdropping.

One technique for secure key distribution is known as Quantum KeyDistribution (“QKD”). Quantum Key Distribution transmits an individualphoton for each bit of the key being distributed to an intendedrecipient. The photons may be polarization modulated in order todifferentiate logic 1 from logic 0. Distribution of the quantum key issecure because of the laws of quantum physics. In particular, it is notpossible to measure an unknown quantum state of a photon withoutmodifying it. Hence, an eavesdropper attempting to intercept the keywould introduce detectable errors into the key. Unfortunately,photon-per-bit key distribution is so inefficient with currenttechnology as to be impractical. This is due in-part to the attenuationtechnique and equipment used to generate a single photon pulse. Inparticular, in order to avoid transmitting more than one photon theattenuator must be set such that about 91% of the attempted pulsesgenerate zero photons.

SUMMARY OF THE INVENTION

In accordance with the invention, a method of Quantum Key Distributionto a target device, comprises the steps of: generating a pulse havingmultiple photons, the pulse representing at least one bit indicative ofthe Quantum Key; splitting the pulse into first and second sub-pulses;modulating the first sub-pulse on a first basis with a secret key;transmitting both the first and second sub-pulses to the target device;receiving the first and second sub-pulses back from the target device;modulating the second sub-pulse on the first basis with the secret key;and comparing the first and second sub-pulses to detect modulationmismatch of the first basis.

A network architecture operable to distribute a Quantum Key inaccordance with the invention comprises: a first device including: alaser operable to generate a pulse having multiple photons, the pulserepresenting at least one bit indicative of the Quantum Key; a coupleroperable to split the pulse into first and second sub-pulses; a firstmodulator operable to modulate the first sub-pulse on a first basis witha secret key; a port operable to transmit both the first and secondsub-pulses to the target device; a port operable to receive the firstand second sub-pulses back from a target device; logic operable toprompt modulation of the second sub-pulse on the first basis with thesecret key; and logic operable to compare the first and secondsub-pulses to detect modulation mismatch of the first basis.

A general advantage of the invention is more efficient and practical keydistribution. Efficiency is enhanced because multiple photons can beused to represent each bit of the key. Using multiple photons enable useof attenuator setting that are less likely to result in zero photons(complete attenuation). Security is maintained using multiple pulses perbit because attempted eavesdropping can be detected from phasemismatches in the key pulses returned to the sender. Another advantageof the invention is that the need for active polarization compensationis obviated. In particular, since the initial pulse is split into twopulses which traverse the same round-trip path there is no need forpolarization compensation. Further, the same laser can be employed forboth synchronization and key distribution. Other advantages will beapparent in view of the following detailed description.

BRIEF DESCRIPTION OF THE FIGURES

FIGS. 1 and 2 are block diagrams illustrating distribution of a quantumkey from node Bob to node Alice, wherein FIG. 1 shows processing ofpulse P1 and FIG. 2 shows processing of pulse P2.

DETAILED DESCRIPTION

FIGS. 1 and 2 illustrate a node Alice (100) and a node Bob (102) of acommunications network. Alice and Bob employ double phase encodingquantum key distribution (“QKD”). Alice, the sender of the quantum key,includes a phase modulator PMa (104) and a Faraday Mirror (106). Bob,the recipient of the quantum key, includes an attenuator (108), phasemodulator PMb (110), phase modulator PMs (112), Polarization BeamSplitter (“PBS”) (114), a coupler (116), a laser diode (118), and photondetectors D0, D1 (120, 122).

A series of short laser pulses is employed for quantum key distributionbetween Bob and Alice. The short laser pulses are generated by the laserdiode (118). Considering now the case of a single pulse from the laserdiode, coupler C1 (116) splits the pulse into two pulses: P1 and P2.Pulse P1 is transmitted via the long loop and P2 is transmitted via theshort loop.

Referring now to only FIG. 1, the phase modulator PMs (112) modulates arandomly-selected secret phase key Φs into the pulse P1 once it passesit. The secret phase key Φs is unknown to Alice and is used only by Bob.Although the secret phase is randomly generated, it should differ fromany phase sequence modulated by phase modulators PMa and PMb, e.g.,shift from the bases B1(0, π) and B2(π/2, 3 π/2). Phase modulator PMb(110) is inactive at this time. The horizontal polarization of pulse P1is reflected by PBS (114) to the attenuator (108). The attenuatorreduces the average photon number in pulse P1 to a selected level whichis greater than one, so as to increase the likelihood of efficient,successful transmission, but not so large as to enable easyeavesdropping, e.g., μ=10. After suitable attenuation the pulse P1 isfed to an optical fiber (Q-channel).).

Alice is operable to receive pulse P1 from the optical fiber and enablephase modulator PMa (104) to modulate a phase shift ø1, selectedrandomly from bases B1 and B2 based on Alice's key bit. Faraday Mirror(“FM”) (106) then reflects P1 back and flips its polarization, i.e., achange of π/2. The resulting pulse P1 is then transmitted back to nodeBob (102).

Node Bob (102) is operable to receive pulse P1 from node Alice (100).The PBS (114) is operable to transmit the returning pulse P1 to theshort loop due to the polarization flip by FM (106) and subsequently tothe coupler (116) where a combination is made with returning pulse P2.

Referring now to FIG. 2, after being generated at the coupler (116),pulse P2 takes the short loop at node Bob. The PBS (114) transmits thevertical polarization of P2. Pulse P2 is then subjected to the sameattenuation as pulse P1 by the attenuator (108), e.g., μ=10. The pulseP2 travels over the optical fiber as was described above with regard topulse P1. Alice is operable to receive pulse P2 from the optical fiber.Following receipt of pulse P2 Alice is operable to flip the polarizationof pulse P2 at Faraday Mirror FM (106), i.e., a change of μ/2, andreflect the pulse P2 back onto the optical fiber. Phase modulator PMa(104) is inactive at this time. Bob is operable to receive the returningpulse P2 from Alice. The pulse P2 is reflected to the long loop at thePBS due it polarization flip at FM (106). On the long loop, phasemodulator PMb (110) modulates a phase shift of ø2 onto pulse P2, byrandomly selecting a basis from B1 (phase 0) and B2 (phase π/2). Phasemodulator PMs then modulates pulse P2 with secret phase key Φs.

Referring again to both FIGS. 1 and 2, both pulses P1 and P2 arrive atthe coupler of Bob at the same time because both pulses have traversedthe same overall round-trip path, albeit with the loops in differentorder. Further, both pulses should contain the same secret phase key Φs.The phases of the returned pulses P1 and P2 at Bob's coupler are asfollows:

pulse P1: ø1+Φs=Φ1

pulse P2: ø2+Φs=Φ2

Phase differences at Bob's coupler are then detected as follows:ΔΦ=Φ1−Φ2=ø1−ø2

ΔΦ=0: constructive interference→detector 0

ΔΦ=π: destructive interference→detector 1

ΔΦ: [0,π]→randomly detected.

After measuring the photon pulses, Bob publicly tells Alice hismeasurement types. Alice then tells Bob which are correct. If correctmeasurements are recorded in one detector, so-called one-click, there isno “intercept-resend” attack. Bob will continue BB84's error correctionand privacy amplification and find the final shared secret key.

A photon-split attack is the most dangerous attack against amulti-photon quantum key distribution because each individual photon ina pulse has 100% of the information of the encoded key bit value. Thecurrent technique uses a secret phase key Φs modulated into pulse P1 onthe way out and into pulse P2 after returning back. Because of itsrandomization of Φs, the attacker EVE can not correctly guess the secretphase key applied by Bob. Suppose that Eve uses a “photon-split” attacktechnique, i.e., Eve splits a single photon portion p1 from P1 and p2from P2. Eve needs to combine p1 and p2 together to create an originalphoton which carries quantum key information. Also suppose that Evelearns the measurement information from the public communication betweenBob and Alice and successfully guesses phase shifts ø1 and ø2. Thedifference of p1 and p2 will be ø1−ø2+φs. From here, we know that evenif EVE knows ø1 and ø2, Eve still can not get a definitely constructiveor destructive interference from p1 and p2 due to the unknown secretphase key φs. Therefore, the invention is an absolutely secure keydistribution technique, even for multi-photon pulses.

While the invention is described through the above exemplaryembodiments, it will be understood by those of ordinary skill in the artthat modification to and variation of the illustrated embodiments may bemade without departing from the inventive concepts herein disclosed.Moreover, while the preferred embodiments are described in connectionwith various illustrative structures, one skilled in the art willrecognize that the system may be embodied using a variety of specificstructures. Accordingly, the invention should not be viewed as limitedexcept by the scope and spirit of the appended claims.

1. A method of Quantum Key Distribution between a first node and asecond node, comprising the steps of: by the first node: generating apulse having multiple photons, splitting the pulse into first and secondsub-pulses; modulating the phase of the first sub-pulse with a secretkey; transmitting both the first and second sub-pulses to the secondnode; by the second node: receiving the first and second sub-pulses fromthe first node; modifying at least one of the first and secondsub-pulses; transmitting both the first and second sub-pulses back tothe first node; by the first node: receiving the first and secondsub-pulses from the second node; modulating the phase of the secondsub-pulse with the secret key; and comparing the first and secondsub-pulses to detect phase modulation mismatch.
 2. The method of claim 1wherein the modifying step includes the further step of the second nodemodulating a phase shift of the first sub-pulse selected randomly frombases B1 and B2 based on the second node's key bit.
 3. The method ofclaim 2 wherein the modifying step includes the further step of thesecond node flipping the polarization of the first sub-pulse.
 4. Themethod of claim 1 wherein the modifying step includes the further stepof the second node flipping the polarization of the second sub-pulse. 5.The method of claim 1 including the further step of generating thesecret key such that the secret key is random and equal to the QuantumKey in length.
 6. The method of claim 1 including the further step of,prior to step of transmitting both the first and second sub-pulses tothe second node, attenuating the first and second sub-pulses to reducethe number of photons to a selected number greater than one.
 7. Themethod of claim 1 including the further step of the first nodemodulating a phase shift of the second sub-pulse selected randomly frombases B1 and B2 based on the first node's key bit.
 8. The method ofclaim 1 including the further step of correlating Quantum Key bits ofthe first and second sub-pulses to facilitate quantum key distribution.9. A network architecture operable to distribute a Quantum Key,comprising: a first device including: a laser operable to generate apulse; a coupler operable to split the pulse into first and secondsub-pulses, the first sub-pulse being sent to a long loop and the secondsub-pulse being sent to a short loop; a first modulator in the long loopoperable to modulate the phase of the first sub-pulse with a secret key;a port operable to transmit both the first and second sub-pulses to asecond device, the second device being operable to modify at least oneof the first and second sub-pulses; a port operable to receive the firstand second sub-pulses back from the second device; a polarization beamsplitter operable to send the first sub pulse to the short loop and tosend the second sub-pulse to the long loop, where the phase of thesecond sub-pulse is modulated with the secret key, the first and secondsub-pulses then being combined by the coupler; and detectors operable todetect phase modulation mismatch of the first and second sub-pulses. 10.The network architecture of claim 9 wherein the second device includes aphase modulator operable to modulate a phase shift of the firstsub-pulse selected randomly from bases B1 and B2 based on a key bit. 11.The network architecture of claim 10 wherein the second device furtherincludes a Faraday mirror operable to flip the polarization of the firstsub-pulse.
 12. The network architecture of claim 9 wherein the seconddevice further includes a Faraday mirror operable to flip thepolarization of the second sub-pulse.
 13. The network architecture ofclaim 9 further including logic operable to generate the secret key suchthat the secret key is random and equal to the Quantum Key in length.14. The network architecture of claim 9 further including an attenuatoroperable to attenuate the first and second sub-pulses to reduce thenumber of photons to a selected number greater than one.
 15. The networkarchitecture of claim 9 including logic operable to correlate QuantumKey bits of the first and second sub-pulses to facilitate quantum keydistribution.
 16. The network architecture of claim 9 further includinga phase modulator operable to modulate a phase shift of the secondsub-pulse selected randomly from bases B1 and B2 based on Bob's key bit.